Security audit

Neomano Binance Assets (Read-only)

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed read-only Binance balance checker, but it requires API credentials and will display financial holdings.

Install only if you are comfortable giving the agent access to read your Binance Spot balances. Create a Binance API key with reading only, keep trading and withdrawals disabled, consider an IP allowlist, and treat the printed asset list as private financial information.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill requires sensitive environment variables and performs network access, but it does not declare explicit permissions for those capabilities. This weakens platform-level governance and review because users and automation cannot clearly see that the skill reads API credentials and sends authenticated requests to an external service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal